Network Security - ISA 656 Application Firewalls

Transcription

1 Network Security - ISA 656 Application Angelos Stavrou August 20, 2008

2 Moving Up the Stack Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Why move up the stack? Apart from the limitations of packet filters discussed last time, firewalls are inherently incapable of protecting against attacks on a higher layer IP packet filters (plus port numbers... ) can t protect against bogus TCP data A TCP-layer firewall can t protect against bugs in SMTP SMTP proxies can t protect against problems in the itself, etc. Angelos Stavrou (astavrou@gmu.edu) 2 / 36

3 Filtering levels Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Application/proxy level firewalls FTP HTTP TELNET NFS TCP Network/packet filtering firewalls IP UDP ICMP Distributed Link layer firewalls Ethernet FDDI PPP Angelos Stavrou 3 / 36

4 Advantages Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Protection can be tuned to the individual application More context can be available You only pay the performance price for that application, not others Angelos Stavrou 4 / 36

5 Disadvantages Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Application-layer firewalls don t protect against attacks at lower layers! They require a separate program per application These programs can be quite complex They may be very intrusive for user applications, user behavior, etc. Angelos Stavrou (astavrou@gmu.edu) 5 / 36

6 Example: Protecting Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Do we protect in-bound or out-bound ? Some of the code is common; some is quite different Do we work at the SMTP level (RFC 2821) or the mail content level (RFC 2822)? What about MIME? (What about S/MIME- or PGP-protected mail?) What are the threats? Angelos Stavrou 6 / 36

7 Threats Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed The usual: defend against protocol implementation bugs Virus-scanning Anti-spam? Javascript? Web bugs in HTML ? Violations of organizational policy? Signature-checking? Angelos Stavrou 7 / 36

8 In-bound Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed is easy to intercept: MX records in the DNS route in-bound to a machine Possible to use * to refer and handle the entire domain Example: DNS records exist for gmu.edu and *.gmu.edu Net result: all for that domain is sent to a front end machine Angelos Stavrou (astavrou@gmu.edu) 8 / 36

9 Different Protection Layers Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed There are are multiple layers of protection possible here The receiving machine can filter IP Addresses from spammers, providing protection at the network layer The receiving machine can run a hardened SMTP, providing protection at the application layer Once the is received, it can be scanned at the content layer for any threats The firewall function can consist of either or both Angelos Stavrou (astavrou@gmu.edu) 9 / 36

10 Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement No help from the protocol definition here But most mailers have the ability to forward some or all to a relay host Create a policy that all mail has to pass through the relay in order to be delivered Enforce this with a packet filter... Distributed Angelos Stavrou (astavrou@gmu.edu) 10 / 36

11 Combining Firewall Types Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Use an application firewall to handle in-bound and out-bound Use a packet filter to enforce the rules Angelos Stavrou (astavrou@gmu.edu) 11 / 36

12 Firewalling Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Outside Packet Filter Inside SMTP Receiver DMZ Anti Spam Anti Virus Angelos Stavrou 12 / 36

13 Policy Enforcement Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed can t flow any other way The only SMTP server the outside can talk to is the SMTP receiver It forwards the to the anti-virus/anti-spam filter, via some arbitrary protocol That machine speaks SMTP to some inside mail gateway Note the other benefit: if the SMTP receiver is compromised, it can t speak directly to the inside Angelos Stavrou (astavrou@gmu.edu) 13 / 36

14 Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Threats In-bound Different Protection Layers Combining Firewall Types Firewalling Policy Enforcement Distributed Again, we use a packet filter to block direct out-bound connections to port 25 The only machine that can speak to external SMTP receivers is the dedicated out-bound gateway That gateway can either live on the inside or on the DMZ Angelos Stavrou (astavrou@gmu.edu) 14 / 36

15 DNS Issues Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed UDP (discussed previously) Internal versus external view DNS cache corruption Optimizing DNSSEC checks Angelos Stavrou 15 / 36

16 UDP Issues Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed Remember the DNS server location discussed last time In fact, what we did there was use an application-level relay to work around packet filter restrictions We re lucky since the DNS protocol includes provision for recursion, it requires no application changes for this to work Angelos Stavrou 16 / 36

17 Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed Internal Versus External View Should outsiders be able to see the names of all internal machines? What about secretproject.foobar.com? Solution: use two DNS servers, one for internal requests and one for external request Put one on each side of the firewall Issue: which machine does the NS record for foobar.com point to, the inside or the outside server? Can be trickier than it seems must make sure that internal machines don t see NS records that will make them try to go outside directly Angelos Stavrou (astavrou@gmu.edu) 17 / 36

18 Cache Contamination Attacks Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed DNS servers cache results from queries Responses can contain additional information data that may be helpful but isn t part of the answer Send bogus DNS records as additional information; confuse a later querier Angelos Stavrou (astavrou@gmu.edu) 18 / 36

19 Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed DNS Filtering All internal DNS queries go to a DNS switch If it s an internal query, forward the query to the internal server or pass back internal NS record If it s an external query, forward the query to outside, but: Scrub the result to remove any references to inside machines Scrub the result to remove any references to any NS records; this prevents attempts to go outside directly Use a packet filter to block direct DNS communication Angelos Stavrou (astavrou@gmu.edu) 19 / 36

20 Small Application Gateways Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Distributed Some protocols don t need full-fledged handling at the application level That said, a packet filter isn t adequate Solution: examine some of the traffic via an application-specific proxy; react accordingly Angelos Stavrou (astavrou@gmu.edu) 20 / 36

21 FTP Proxy Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Distributed Remember the problem with the PORT command? Scan the FTP control channel If a PORT command is spotted, tell the firewall to open that port temporarily for an incoming connection (Can do similar things with RPC define filters based on RPC applications, rather than port numbers) Angelos Stavrou (astavrou@gmu.edu) 21 / 36

22 Attacks Via FTP Proxy Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Distributed Downloaded Java applets can call back to the originating host A malicious applet can open an FTP channel, and sea PORT command listing a vulnerable port on a nominally-protected host The firewall will let that connection through Solution: make the firewall smarter about what host and port numbers can appear in PORT commands... Angelos Stavrou (astavrou@gmu.edu) 22 / 36

23 Web Proxies Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Distributed Again, built-in protocol support Provide performance advantage: caching Can enforce site-specific filtering rules Angelos Stavrou 23 / 36

24 Application Application Modifications Adding Authentication Distributed Circuit gateways operate at (more or less) the TCP layer No application-specific semantics Avoid complexities of packet filters Allow controlled in-bound connections, i.e., for FTP Handle UDP Most common one: SOCKS. Supported by many common applications, such as Firefox and GAIM. Angelos Stavrou 24 / 36

25 Application Modifications Application Application Modifications Adding Authentication Distributed Application must be changed to speak the circuit gateway protocol instead of TCP or UDP Easy for open source Socket-compatible circuit gateway libraries have been written for SOCKS use those instead of standard C library to convert application Angelos Stavrou (astavrou@gmu.edu) 25 / 36

26 Adding Authentication Application Application Modifications Adding Authentication Distributed Because of the circuit (rather than packet) orientation, it s feasible to add authentication Purpose: extrusion control Angelos Stavrou (astavrou@gmu.edu) 26 / 36

27 Rationale Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed Conventional firewalls rely on topological assumptions these are questionable today Instead, install protection on the end system Let it protect itself Angelos Stavrou 27 / 36

28 Personal Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed Add-on to the main protocol stack The inside is the host itself; everything else is the outside Most act like packet filters Rule set can be set by individual or by administrator Angelos Stavrou 28 / 36

29 Saying No, Saying Yes Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed It s easy to reject protocols you don t like with a personal firewall The hard part is saying yes safely There s no topology all that you have is the sender s IP address Spoofing IP addresses isn t that hard, especially for UDP Angelos Stavrou (astavrou@gmu.edu) 29 / 36

30 Application-Linked Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed Most personal firewalls act on port numbers At least one such firewall is tied to applications individual programs are or are not allowed to talk, locally or globally Pros: don t worry about cryptic port numbers; handle auxiliary ports just fine Cons: application names can be just as cryptic; service applications operate on behalf of some other application Angelos Stavrou (astavrou@gmu.edu) 30 / 36

31 Distributed Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed In some sense similar to personal firewalls, though with central policy control Use IPsec to distinguish inside from outside Insiders have inside-issued certificates; outsiders don t Only trust other machines with the proper certificate No reliance on topology; insider laptops are protected when traveling; outsider laptops aren t a threat when they visit Angelos Stavrou (astavrou@gmu.edu) 31 / 36

32 Problems with Application Distributed Problems with Malicious Insiders Mobile Devices Dynamic Connectivity Evasion Malicious Insiders Mobile Devices Dynamic Connectivity Evasion Angelos Stavrou 32 / 36

33 Malicious Insiders Application Distributed Problems with Malicious Insiders Mobile Devices Dynamic Connectivity Evasion assume that everyone on the inside is good Obviously, that s not true... Insiders can cause much more damage since there is no control For example, open proxies over encrypted tunnels Angelos Stavrou (astavrou@gmu.edu) 33 / 36

34 Mobile Devices Application Distributed Problems with Malicious Insiders Mobile Devices Dynamic Connectivity Evasion Laptops and smart phones, more or less by definition, are mobile When they re outside the firewall, what protects them? Similar problems with all networked devices (over powerlines, blue-tooth) Is there a solution for mobile devices? (Personal firewalls, secure/close all unnecessary services) Angelos Stavrou (astavrou@gmu.edu) 34 / 36

35 Dynamic Connectivity Application Distributed Problems with Malicious Insiders Mobile Devices Dynamic Connectivity Evasion rely on topology and on static services If there are too many connections, some will bypass the firewall Sometimes, that s even necessary; it isn t possible to effectively firewall all external partners A large company may have hundreds or even thousands of external links, most of which are unknown to the official networking people Angelos Stavrou (astavrou@gmu.edu) 35 / 36

36 Evasion Application Distributed Problems with Malicious Insiders Mobile Devices Dynamic Connectivity Evasion and firewall administrators got too good Some applications weren t able to run Vendors started building things that ran over known ports (i.e HTTP) HTTP usually gets through firewalls and even web proxies... Angelos Stavrou (astavrou@gmu.edu) 36 / 36